Welcome to the Picus 10 Critical MITRE ATT&CK Techniques report that is based on the in-depth research from Picus Labs, the research arm of Picus Security.

Through a comprehensive analysis of tens of thousands of real-world threat samples collected from numerous sources, Picus Labs uncovered the most prevalent ATT&CK techniques and tactics, so that you can focus on the controls that most improve your security.

Executive Summary

In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques and procedures (TTPs) used by the adversaries behind these malicious files, and categorized each observed TTP using the MITRE ATT&CK® framework. In total, 445,018 malicious actions observed during the year were mapped to ATT&CK techniques to identify the ten techniques most commonly used by attackers.

This research found that Process Injection was the most prevalent technique, and that Execution and Defense Evasion were the dominant tactics observed in 2019. The findings support better prioritization of risks and security operations by presenting the most prevalent attack techniques, the threat actors that use them, and red and blue team exercises for each of them.

Key Findings

  • The most common technique was T1055 Process Injection[1], which lets an adversary evade security controls (Defense Evasion[2]) and gain higher-level privileges (Privilege Escalation[3]) by executing code within the address space of a legitimate process.

  • The most prevalent tactics are Defense Evasion and Execution, which indicates attackers' interest in staying under the radar of security controls. They are constantly developing new evasion and execution techniques to bypass security solutions.

  • Attackers frequently use native Windows command-line and scripting tools such as PowerShell, cmd.exe and VBScript to execute commands. Because these tools are legitimate components of Windows that interact directly with the operating system, they let attackers perform sophisticated actions while avoiding security controls.

  • The third most common technique is Credential Dumping[4], which adversaries use to obtain credentials from the operating system and installed software in order to perform Lateral Movement[5] and access restricted information and systems.

MITRE ATT&CK Framework

MITRE ATT&CK is an open source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.

The MITRE ATT&CK Windows Matrix for Enterprise[6] consists of 12 tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact. A tactic can be achieved by many different techniques, so each tactic category contains multiple techniques; conversely, a single technique may serve several tactics. For example, attackers use Process Injection both for Defense Evasion and for Privilege Escalation. At the time of writing, the ATT&CK Windows Matrix includes 222 unique techniques.

Methodology

Picus simulates adversarial TTPs on networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or system. To build adversarial attack scenarios, Picus Labs analyzes large volumes of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include, but are not limited to, commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.

The red team analysts of Picus Labs evaluate the sandbox results and examine indicators to identify the malicious actions from which attack scenarios are built. Our blue team analysts then examine the effects of these malicious actions on security controls and endpoints, and develop actionable prevention signatures and detection rules for them. As the building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.

In 2019, Picus Labs analyzed 56,149 unique files, of which 48,813 (87%) were categorized as malicious. 445,018 actions were extracted from these files, an average of 9.12 actions per malware sample. Since several actions in the same sample may correspond to the same technique, these actions are de-duplicated per sample and map to an average of 7.43 MITRE ATT&CK techniques per malware sample. The resulting dataset of 362,637 technique observations is the basis of this report.
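The following script is an added example, not Picus Labs' own tooling, that reproduces the arithmetic of the methodology above on a constructed dataset: sandbox actions are de-duplicated to techniques per sample, which is the step that turns many actions into fewer technique observations, and a technique's prevalence is then the fraction of samples in which it appears ("% of total malware") rather than its share of all actions. The sample names and technique counts are invented for illustration.

```python
"""Added example (not Picus Labs' code): compute per-malware action and
technique averages and technique prevalence the way the report's
methodology describes. All input data below is constructed."""
from collections import Counter


# Constructed sandbox output: for each malware sample, the list of malicious
# actions observed, each already mapped to one ATT&CK technique ID. The same
# technique can appear more than once in a sample (e.g. two injected threads
# both map to T1055), which is exactly what per-sample de-duplication removes.
SAMPLE_ACTIONS = {
    "sample-a": ["T1055", "T1055", "T1086", "T1003", "T1082"],
    "sample-b": ["T1059", "T1086", "T1064", "T1053"],
    "sample-c": ["T1055", "T1036", "T1036", "T1060"],
    "sample-d": ["T1089", "T1055", "T1082"],
}


def technique_prevalence(actions_by_sample):
    """Return (actions_per_malware, techniques_per_malware, prevalence).

    prevalence maps technique ID -> fraction of samples in which the technique
    was observed at least once. Actions are collapsed to a set of techniques
    per sample first, so a sample that injects into five processes still
    counts once for T1055; this is the report's "% of total malware" figure,
    not a share of the 445,018 raw actions.
    """
    n = len(actions_by_sample)
    total_actions = sum(len(actions) for actions in actions_by_sample.values())
    techniques_per_sample = {s: set(a) for s, a in actions_by_sample.items()}
    total_techniques = sum(len(t) for t in techniques_per_sample.values())
    seen_in = Counter(t for techs in techniques_per_sample.values() for t in techs)
    prevalence = {tid: count / n for tid, count in seen_in.items()}
    return total_actions / n, total_techniques / n, prevalence


def top_techniques(prevalence, k=10):
    """Rank techniques by prevalence (highest first); ties broken by ID."""
    return sorted(prevalence.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    apm, tpm, prev = technique_prevalence(SAMPLE_ACTIONS)
    print(f"{apm:.2f} actions and {tpm:.2f} techniques per malware sample")
    for tid, fraction in top_techniques(prev):
        print(f"{tid}: {fraction:.0%} of total malware")
```

On the constructed data the four samples yield 16 actions but only 14 distinct per-sample techniques, so the two averages diverge the same way 9.12 and 7.43 do in the real dataset; T1055 tops the ranking because it appears in three of four samples, even though another technique could have more raw action instances.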

[Visual-1: Top Ten Techniques]

Picus 10 Critical MITRE ATT&CK Techniques

Each technique below links to a red team exercise (how to simulate the technique), a blue team exercise (how to detect and mitigate it), and the threat actors and malware that use the technique and the targets they use it against.

1. T1055 Process Injection
   Tactics: Defense Evasion, Privilege Escalation
   Observed in 19% of total malware

2. T1086 PowerShell
   Tactic: Execution
   Observed in 16% of total malware

3. T1003 Credential Dumping
   Tactic: Credential Access
   Observed in 15% of total malware

4. T1036 Masquerading
   Tactic: Defense Evasion
   Observed in 11% of total malware

5. T1059 Command-Line Interface
   Tactic: Execution
   Observed in 9% of total malware

6. T1064 Scripting
   Tactics: Defense Evasion, Execution
   Observed in 7% of total malware

7. T1053 Scheduled Task
   Tactics: Execution, Persistence, Privilege Escalation
   Observed in 6% of total malware

8. T1060 Registry Run Keys / Startup Folder
   Tactic: Persistence
   Observed in 6% of total malware

9. T1082 System Information Discovery
   Tactic: Discovery
   Observed in 5% of total malware

10. T1089 Disabling Security Tools
   Tactic: Defense Evasion
   Observed in 5% of total malware

Comparison with Other Top ATT&CK Techniques Lists

Apart from our report, there are other valuable studies of top ATT&CK techniques. The following table presents our top 10 alongside the top 10 lists published by CrowdStrike[7], Recorded Future[8] and Red Canary[9]. The lists differ, but diversity does not by itself signify inaccuracy or incompleteness: each list was built with a different methodology and from a different set of threat samples, so different results are expected. Process Injection appears on all four lists, and PowerShell, Masquerading and Scripting each appear on three of them.

Rank | Picus                              | CrowdStrike                          | Recorded Future                  | Red Canary
1    | Process Injection                  | Masquerading                         | Security Software Discovery      | Process Injection
2    | PowerShell                         | Command-Line Interface               | Obfuscated Files or Information  | Scheduled Task
3    | Credential Dumping                 | Credential Dumping                   | Process Injection                | Windows Admin Shares
4    | Masquerading                       | PowerShell                           | System Information Discovery     | PowerShell
5    | Command-Line Interface             | Hidden Files and Directories         | Process Discovery                | Remote File Copy
6    | Scripting                          | Process Injection                    | Software Packing                 | Masquerading
7    | Scheduled Task                     | Registry Run Keys / Startup Folder   | DLL Side-Loading                 | Scripting
8    | Registry Run Keys / Startup Folder | System Owner/User Discovery          | Data Encrypted                   | DLL Search Order Hijacking
9    | System Information Discovery       | Account Discovery                    | Execution Through API            | Domain Trust Discovery
10   | Disabling Security Tools           | Scripting                            | Standard Cryptographic Protocol  | Disabling Security Tools

Limitations

The reader should bear in mind that this research is based on malicious activities of malware after infecting target systems. Therefore, the research is unable to encompass techniques in the Initial Access tactic, which are used by adversaries to gain a foothold in the target network. It should be noted that the Initial Access techniques such as Spearphishing Link (T1192)[10] and Spearphishing Attachment (T1193)[11] are also frequently used by attackers.

Due to the design of the MITRE ATT&CK framework, a single malicious action may be mapped to multiple techniques, and some techniques overlap. For example, Emotet uses an obfuscated VBA macro that launches a command through cmd.exe, and that command in turn consists of malicious PowerShell code. Running this VBA macro can therefore be mapped to Scripting (T1064), Command-Line Interface (T1059) and PowerShell (T1086)[12]. Malware sandboxes, however, typically map a malicious action to a single technique, so counts for overlapping techniques depend on which mapping is chosen.
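To make the overlap concrete, here is an added example (not Picus' or MITRE's code, and not Emotet's actual command lines) that maps a process tree to ATT&CK techniques with a handful of rules, and contrasts keeping every matching technique with the single-technique mapping a sandbox typically applies. It also serves the Key Findings point about native command-line and scripting tools: the same rules fire on any cmd.exe or PowerShell launched from an Office document. The process-creation events are constructed to resemble the Office macro -> cmd.exe -> PowerShell chain described above; the encoded command is a placeholder, the rule set is illustrative and deliberately minimal, and treating a child of an Office application as evidence of a macro (Scripting) is an assumption of this example.

```python
"""Added example (not Picus' or MITRE's code): map a sandbox process tree to
the ATT&CK techniques it evidences, showing why one malicious action can fall
into several technique buckets. All events and rules below are constructed."""
import re

# Constructed process-creation events in the shape a sandbox or Sysmon
# event ID 1 would provide: pid, parent pid, image path and command line.
# The -enc payload is a placeholder (UTF-16LE "IEX" in base64), not a real sample.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "invoice.doc"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "powershell -nop -w hidden -enc SQBFAFgA"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -enc SQBFAFgA"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

# Each rule: (technique ID, name, predicate over (event, parent_event)).
# Assumption: a script host spawned directly by an Office app is macro-driven.
RULES = [
    ("T1064", "Scripting",
     lambda e, p: p is not None and p["image"].lower().endswith(OFFICE_APPS)
     and e["image"].lower().endswith(SCRIPT_HOSTS)),
    ("T1059", "Command-Line Interface",
     lambda e, p: e["image"].lower().endswith("cmd.exe")),
    ("T1086", "PowerShell",
     lambda e, p: e["image"].lower().endswith("powershell.exe")
     or re.search(r"\bpowershell\b", e["cmdline"], re.IGNORECASE) is not None),
]


def map_techniques(events, single=False):
    """Return {pid: [technique IDs]} for every event matching at least one rule.

    single=True mimics a sandbox that files each action under the first
    matching technique only; single=False keeps every match, which is what
    makes T1059, T1064 and T1086 counts overlap for a chain like this one.
    """
    by_pid = {e["pid"]: e for e in events}
    result = {}
    for e in events:
        parent = by_pid.get(e["ppid"])  # None when the parent was not captured
        matched = [tid for tid, _, pred in RULES if pred(e, parent)]
        if matched:
            result[e["pid"]] = matched[:1] if single else matched
    return result


def techniques_in_chain(events, single=False):
    """Distinct technique IDs evidenced anywhere in the process tree."""
    return sorted({t for ts in map_techniques(events, single).values() for t in ts})


if __name__ == "__main__":
    print("multi-mapping :", techniques_in_chain(EVENTS))
    print("single-mapping:", techniques_in_chain(EVENTS, single=True))
```

The cmd.exe event alone matches all three techniques: it is a script host spawned by WINWORD.EXE (Scripting), it is cmd.exe (Command-Line Interface), and its command line carries the PowerShell payload (PowerShell). With single-technique mapping the same chain yields only Scripting and PowerShell, and Command-Line Interface disappears from the count entirely, which is the distortion the limitation above describes.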

Conclusion

This research has shown that seven of the top 10 ATT&CK techniques fall under the Defense Evasion and Execution tactics. Adversaries frequently inject malicious code into legitimate processes (T1055 Process Injection), give their malicious files the names and locations of legitimate programs (T1036 Masquerading), and execute malicious code through legitimate scripting languages such as VBScript, PowerShell and command-line batch scripts (T1064 Scripting).

In other words, adversaries commonly rely on legitimate software to evade detection and prevention by security controls, and they continually find new methods to do so. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques adversaries use, finding the gaps in your controls, and improving your defenses by closing those gaps.

The Picus platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Picus also provides actionable prevention signatures and detection rules to remediate security controls against attacks that were neither blocked nor detected. As a result, organizations can prevent and detect adversarial TTPs, including Defense Evasion techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience. Because of this approach, Picus was recognized as a Cool Vendor in Security and Risk Management in Gartner's 2H19 report.

References

  1. “Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1055/. [Accessed: 21-Apr-2020]
  2. “Defense Evasion, Tactic TA0005 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/tactics/TA0005/. [Accessed: 21-Apr-2020]
  3. “Privilege Escalation, Tactic TA0004 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/tactics/TA0004/. [Accessed: 21-Apr-2020]
  4. “Credential Dumping, Technique T1003 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1003/. [Accessed: 21-Apr-2020]
  5. “Lateral Movement, Tactic TA0008 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/tactics/TA0008/. [Accessed: 21-Apr-2020]
  6. “Matrix - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/matrices/enterprise/windows/. [Accessed: 22-Apr-2020]
  7. CrowdStrike, “2020 Global Threat Report.” [Online]. Available: https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf. [Accessed: 23-Apr-2020]
  8. Recorded Future, “Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019,” 31-Mar-2020. [Online]. Available: https://www.recordedfuture.com/mitre-attack-tactics/. [Accessed: 23-Apr-2020]
  9. Red Canary, “Techniques - Red Canary.” [Online]. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed: 23-Apr-2020]
  10. “Spearphishing Link, Technique T1192 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1192. [Accessed: 23-Apr-2020]
  11. “Spearphishing Attachment, Technique T1193 - Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1193. [Accessed: 23-Apr-2020]
  12. S. Özarslan, “The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc.” [Online]. Available: https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc. [Accessed: 23-Apr-2020]
